Legal obligations for online businesses

You must meet legal obligations when conducting business online—these are designed to protect you and your customers. It is your responsibility to identify the legal requirements that apply to your business.

All types of businesses need to comply with relevant legislation and requirements. As part of this, you should make sure that the online components of your business are also compliant.

Legal obligations and jurisdictions

The legal obligations that apply to your business can relate to various jurisdictions and environments:

  • federal (all of Australia)
  • state and territory (the states and territories that your business operates in)
  • international (the global market that your business operates in)
  • online (the activities that your business completes with customers online).

You should assess your online business activities and the geographic areas your business operates within and identify the legal obligations that apply.

You should then create a plan to ensure that all your business activities comply.

Legal obligations that apply to businesses are frequently updated—you should conduct regular reviews or sign up for updates to make you aware of any changes, or seek professional advice.

Specific considerations for websites

If you have a website for your business, it is important to complete these policies and documentation:

  • privacy policy—check your privacy policy is compliant with Australian privacy law and is easily accessible on your website
  • website terms of use—a terms of use document that includes information on protecting your business ideas, disclaimers and rules applying to anyone who interacts with your website
  • terms and conditions—if you sell products online, include terms and conditions outlining the operations of your business sales, payment options, cancellation policies, consumer guarantees, and return and refund policies. You should also have a process for customer complaints.
  • client agreement—if you provide services online, include a client agreement. This outlines the relationship between your business and your clients and should contain information about payment, expectations, termination of the agreement, and the process for handling disputes.

There are also specific obligations around storing and collecting customer information, intellectual property and email marketing.

Legal obligations for storing and collecting customer information

If your online business stores and collects personal information from your customers, you are required, under the Privacy Act 1988, to make your customers aware of what you are storing.

Under the Act, your customers have the right to:

  • know why their personal information is collected, how it will be used and who it will be disclosed to
  • have the option of not identifying themselves or of using a pseudonym in certain circumstances
  • ask for access to their personal information (including their health information)
  • stop receiving unwanted direct marketing
  • ask for their personal information that is incorrect to be corrected
  • make a complaint about an organisation or agency that the Privacy Act covers if they think it has mishandled their personal information.

Personal information may include:

  • an individual's name, signature, address, phone number or date of birth
  • credit information
  • employee record information
  • photographs
  • location information from a mobile device.

You must inform your customers of what measures you have in place to protect their personal details, such as names, addresses and credit card details. Examples include the use of SSL (secure sockets layer) certificates, PCI DSS (Payment Card Industry Data Security Standard) compliance and the use of encrypted data. This information must be accessible on your website.

Read more about the Privacy Act and your obligations.

To ensure that your business complies with the Privacy Act, it is recommended that you take the steps below.

  1. Determine what personal information you will be collecting from your customers.
  2. Ensure that you are clear about how the personal information will be stored.
  3. Determine how to protect this information according to the Privacy Act and associated Australian privacy principles.
  4. Prepare a privacy policy—this policy must be clear and inform customers about:
    • the personal information that will be collected
    • what you will do with that personal information
    • how you will protect the personal information.
  5. Seek legal advice on your privacy policy to ensure it meets requirements.
  6. Publish the privacy policy on your website.

Find out more about protecting privacy and information.

Legal obligations relating to intellectual property

Online businesses have an increased risk of intellectual property (IP) infringement due to the content shared online and the use of other people's intellectual property on websites or social media.

IP refers to the protectable ideas and information you may use to complete business.

Read more about intellectual property.

Types of IP

Type of IP and what it protects:

  • Copyright
    • Provides the owner exclusive rights to copy or distribute creative work
    • In Australia, as soon as an idea or creative content is documented (on paper or electronically), it is protected by copyright
  • Patent
    • Protects inventions and new processes
  • Trade marks
    • Used to identify goods and services as unique
    • Trade marks can be used to protect logos, words, letters, numbers, colours, phrases, sounds, scents, shapes, pictures, packaging and branding
  • Registered design
    • Used to protect the way a product looks instead of how it functions

How to protect your IP

You will need to ensure that you take steps to protect your business IP through copyright.

Copyright is the legal right that the owner holds over their intellectual property.

You should take steps to protect your business ideas, business concepts and logos as soon as possible and register any trade mark or patent rights associated with your business.

To protect your IP:

  • identify your business IP—this can be anything unique to your business, including your business name, concept, processes and branding. If you hire contractors to design your website or branding, it's essential to obtain written evidence that you own the IP rights to that work
  • understand the different types of IP
  • keep your business ideas, branding and concept confidential until they are protected
  • register trade marks, patents or registered designs
  • be aware of others using your IP—regularly visit competitors' websites to ensure they are not infringing on your IP.

Visit IP Australia for more information about protecting your IP.

Using others' IP

You must obtain consent to use IP that belongs to someone else. For example, if you want to sell t-shirts showing popular cartoon characters, you need permission first from the IP owner.

Consider copyright rules and requirements when using images or content created by others on your website or social media accounts.

To help ensure that you don't infringe on another person's IP, it helps to be proactive.

  1. Search for copyright, trade marks and restrictions before using any material you don't own.
  2. Do not use any material from another person without obtaining written permission.
  3. If you are approached about an IP infringement from another person or business, immediately stop using the material in question.
  4. Seek legal advice for any reports of infringement.

Legal considerations for email marketing

In Australia, there are various rules and requirements for businesses to comply with when using email marketing.

Under the Spam Act 2003 (Cwlth), sending unsolicited commercial electronic messages is illegal. To comply with the Act, every business email (or phone message) you send must meet the following conditions:

  • consent—the recipient must have either expressly consented to receive your messages or must be an existing customer or individual who has some existing relationship with your business
  • identify—the message must accurately identify your business
  • unsubscribe—the message must contain a functional unsubscribe facility to allow the recipient to opt out from receiving further messages. You must honour unsubscribe requests within 5 working days.

According to the rules governing consent, you do not have the right to send a single unsolicited electronic message. Including an unsubscribe facility does not remove this constraint—even if you act on unsubscribe requests immediately.

However, it is possible to buy a list of contacts matching your target profile from another organisation if those contacts have agreed to receive messages from third parties.

Learn more about spam laws in Australia.

Consumer law

Similar to physical stores, Australian consumer law applies to online businesses.

On your website, ensure that:

  • your online advertising is not false or misleading—all information posted online about your business, products or services must be accurate. This includes your website, social media, or other online platforms, such as online marketplaces
  • online reviews are genuine and have been written by those who have experienced your product or service—do not ask others to write fake reviews. You should report any fake reviews to the platform where they were posted
  • you uphold your responsibilities to customers, particularly any consumer guarantees—these do not change for online purchases
  • you comply with Australian product safety laws and Australian mandatory safety standards.

Your website should:

  • have a terms of use to cover:
    • the accuracy of your content
    • your liability for the content or material presented
    • the rights and obligations of using your site.
  • include your business's terms and conditions for your customers, and cover:
    • the products or services you are selling
    • how you sell and collect payment for these products and services
    • delivery methods
    • protection of your IP
    • requirements under Australian consumer law
    • any disclaimers.

Electronic transactions

Various legislation covers electronic transactions, including the Electronic Transactions Act 1999 (Cwlth) and the Electronic Transactions Act 2001.

These laws support the legitimate and authentic use of electronic transactions for Australia's online goods and services. They are designed to eliminate legal barriers to the effective use of electronic transactions and promote their use in business and the community.

The laws allow businesses to electronically produce information they would have previously produced in an offline form, including transaction receipts, signatures and records of sales.

There is no difference between an electronic transaction and cash or 'in-person' transactions—that is, the same laws apply to transactions made on your business website and any transaction you might make in person, for example, in a supermarket.

Read more about selling, presenting and taking payments for products and services online and ecommerce.

Electronic payment systems

Electronic payment systems are online payment systems used for electronic transactions. These systems include:

  • contactless payments (tap-and-go)
  • credit cards
  • debit cards
  • EFTPOS
  • online payments
  • smart device processing (phone, tablet, wearable).

Electronic systems can be used for your online business, but before implementing one, you must consider the cost, transaction fees, ease of use and integration with your current business systems.

You may be able to pass some of the costs of electronic payment to your customers. Note: The ACCC has banned all businesses (regardless of their size) from imposing excessive transaction costs or surcharges on their customers.

Legal assistance and support

Assistance and support can be accessed to make sure that you are meeting your legal obligations online. Legal specialists and business advisors can also be engaged if you are still unsure of what you need to comply with and how you can make sure you meet these requirements.

You can subscribe to the Small Business Connect newsletter to keep updated on changes that may impact your business.

Online compliance checklist

The following checklist can be used to assess some of the main components of your online business activities.

Advertising—marketing your business online to customers

  • Does your advertising and selling process meet Australian consumer law?
  • Do you have procedures in place to ensure any emails or other marketing messages you send are not spam?
  • Do you have a procedure in place to monitor your social media pages and online review platforms to ensure there are no breaches of your legal obligations?

Privacy—capturing and storing customer information

  • Have you taken steps to protect customer privacy?
  • Does your website include a copy of your privacy policy that sets out how your business handles and protects personal information?

Copyright—using other parties' images and content (IP)

  • Do all images and content on your website meet copyright requirements?
  • If you are using someone's content (IP) on your website or social media pages, do you have permission from them?

Selling goods and services online

  • Does your website have a terms of use policy?
  • Does your website include your business's terms and conditions?
  • Are terms and conditions for purchases and use of your website clear, accurate and accessible on your website?
  • Does your business follow fair business practices?
  • Is your business's key information, including contact details, easy to find?
  • Do you provide payment mechanisms that are easy to use and give appropriate security?
  • Do you clearly explain the security and authentication methods you use so customers can assess any risks?
  • Do you inform your customers about any specific laws or jurisdictions applicable to transactions with your business?
